Data Processing Agreement
Last Edited: August 7, 2024
This HumanQ Data Processing Agreement and its Annexes (“DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by us on behalf of you in connection with the HumanQ Services, which are provided pursuant to the HumanQ Small Business Customer Terms of Service available at https://humanq.com/sb-terms-of-service, as applicable, between you and us (also referred to in this DPA as the “Agreement”).
This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, an Order Form or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.
The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
Definitions.
- “CCPA” means the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, in each case as amended from time to time.
- “Controller” means the entity that determines the purposes and means of the processing of Personal Data.
- “Data Protection Laws” means the data privacy and security laws and regulations of any jurisdiction applicable to the Processing of Personal Data, including, to the extent applicable, European Data Protection Laws and the CCPA.
- “European Data Protection Laws” means, in each case to the extent applicable to the relevant Personal Data or processing thereof under the Agreement, (a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), (b) laws relating to data protection, the processing of Personal Data, privacy and/or electronic communications in force from time to time in the United Kingdom, including the UK General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018 (collectively, “UK Data Protection Laws”); (c) the Swiss Federal Act on Data Protection (“Swiss FADP”); and (d) any other data protection laws of the European Economic Area and its Member States.
- “Permitted Purposes” means, (a) in the case of Company, the permitted uses of User Analytics set forth in Section 5 of the Agreement, and (b) in the case of HumanQ, to provide the Platform and its other products and services to Company and Users and as otherwise set forth in the HumanQ Privacy Policy, available at humanq.com/privacy-policy/.
- “Personal Data” means any information that constitutes “personal information,” “personal data,” “personally identifiable information,” or similar term under applicable Data Protection Laws.
- “Sensitive Personal Data” means any Personal Data that is classified as “sensitive,” “special category,” or similar term under Data Protection Laws, including without limitation an individual’s (i) government-issued identification number, including Social Security number, driver’s license number, or state-issued identification number; (ii) financial account number, credit report information, or credit, debit, or other payment cardholder information, with or without any required security or access code, personal identification number, or password that permits access to the individual’s financial account; or (iii) genetic or health information.
- “SCCs” means Module One (Transfer controller to controller) of the standard contractual clauses approved by the European Commission’s implementing decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (currently available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1688587744942), as supplemented or modified by Appendix 1.
- Role of the Parties; Compliance. With respect to any Personal Data provided by or on behalf of one Party (the “Data Provider”) to the other Party (the “Data Recipient”) under the Agreement, the Parties acknowledge and agree that each Party will act as a separate and independent Controller for purposes of Data Protection Laws. Data Recipient will: (a) comply with applicable Data Protection Laws in its creation, collection, receipt, access, use, storage, disposal, disclosure, and other processing of Personal Data received from Data Recipient under the Agreement; (b) taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk to such Personal Data; and (c) ensure that any person acting under its authority who has access to such Personal Data is subject to an appropriate confidentiality obligation. Data Provider will, as applicable, obtain valid consent from data subjects to the extent required by Data Protection Laws for the transfer of Personal Data to Data Recipient under the Agreement.
- Processing Subject to the CCPA. As used in this Section, the terms “Sell,” “Share,” “Business Purpose,” “Commercial Purpose,” and “Personal Information” shall have the meanings given in the CCPA. The Parties acknowledge that any Personal Information disclosed by the Data Provider to the Data Recipient under this Agreement is provided only for the Permitted Purposes, as applicable. The Data Recipient will comply with applicable obligations under the CCPA with respect to such Personal Information and provide the same level of privacy protection to such Personal Information as is required by the CCPA. The Data Provider has the right to take reasonable and appropriate steps to help ensure that the Data Recipient uses the Personal Information transferred in a manner consistent with the Data Provider’s obligations under the CCPA by exercising its rights under the Agreement and this Addendum. The Data Recipient will notify the Data Provider if it makes a determination that it can no longer meet its obligations under the CCPA. If the Data Recipient notifies the Data Provider of unauthorized use of Personal Information received from the Data Provider, including under the foregoing sentence, the Data Provider will have the right to take reasonable and appropriate steps to stop and remediate such unauthorized use by limiting the Personal Information shared with the Data Recipient or taking such other steps mutually agreed between the Parties in writing.
- Restriction on Sensitive Personal Data. Company shall not provide any Sensitive Personal Data to HumanQ unless agreed by the Parties in an applicable Order Form. The Parties acknowledge and agree that HumanQ shall have no responsibility or liability for any Sensitive Personal Data erroneously or inadvertently transferred to HumanQ under the Agreement.
- Data Subject Requests. Each Party shall be independently responsible for receiving and responding to requests or complaints from data subjects in respect of Personal Data for which such Party is a Controller under the Agreement, including any request to exercise such individual’s rights under Data Protection Laws (e.g., to access, correct, delete Personal Data).
- Data Transfers. If Data Provider transfers Personal Data subject to European Data Protection Laws to Data Recipient in a country whose laws have not been deemed by the European Commission or other applicable data protection authority to provide an adequate level of protection for Personal Data, and such transfer is not subject to an alternative adequate transfer mechanism or otherwise exempt from transfer restrictions under European Data Protection Laws, the Parties agree that the SCCs will be incorporated herein by reference, as applicable. The SCCs shall automatically terminate with respect to a given transfer once the transfer governed thereby becomes lawful under European Data Protection Laws in the absence of such SCCs on any other basis.
- Each Party’s liability arising out of or related to this Addendum, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set forth in Section 12 of the Agreement, and any reference to such limitation of liability of a Party means the aggregate liability of the Party under the Agreement and this Addendum together. Additionally, each Party shall be independently liable for its own processing of Personal Data to the extent such processing does not comply with Data Protection Laws. In the event of a conflict between the terms of the Agreement and the terms of this Addendum, the terms and provisions of this Addendum shall prevail with regard to data protection matters. In the event of a conflict between the terms of this Addendum and the SCCs, the SCCs shall prevail.
Appendix 1 to the Independent Controller Data Processing Agreement – Standard Contractual Clauses Selections and Modifications
- The Parties agree that the selections set forth in the table below shall supplement and apply to the SCCs.
Section Reference | Concept | Selection by the Parties
Section IV, Clause 17 | Governing law | The Republic of Ireland
Section IV, Clause 18(b) | Choice of forum and jurisdiction | The Republic of Ireland
Annex I.A | List of parties – Data exporter | Name: HumanQ or Company, as applicable when acting as the Data Provider under the Agreement; Address: As set forth in the Agreement; Contact person’s name, position and contact details: As set forth in the Agreement; Activities relevant to the data transferred under these Clauses: Performance of the Agreement; Role: controller
Annex I.A | List of parties – Data importer | Name: HumanQ or Company, as applicable when acting as the Data Recipient under the Agreement; Address: As set forth in the Agreement; Contact person’s name, position and contact details: As set forth in the Agreement; Activities relevant to the data transferred under these Clauses: Performance of the Agreement; Role: controller
Annex I.B | Description of the Transfer | Categories of data subjects whose personal data is transferred: Users
Annex I.B | Description of the Transfer | Categories of personal data transferred: Eligibility Data; User Analytics
Annex I.B | Description of the Transfer | Sensitive data transferred (if applicable) and applied restrictions or safeguards: N/A
Annex I.B | Description of the Transfer | The frequency of the transfer: On a continuous or as-needed basis in accordance with the terms of the Agreement.
Annex I.B | Description of the Transfer | Nature of the processing: As described in the Agreement.
Annex I.B | Description of the Transfer | Purpose(s) of the data transfer and further processing: For the Permitted Purposes, as applicable.
Annex I.B | Description of the Transfer | The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As set forth in the Agreement or as otherwise determined by the Data Recipient in accordance with Data Protection Laws.
Annex I.B | Description of the Transfer | For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As set forth above.
Annex I.C | Competent Supervisory Authority | Irish Data Protection Commissioner
Annex II | Technical and Organisational Measures | As set forth in Section 2 of the Addendum.
- Supplemental Business-Related Clauses. In accordance with Clause 2 of the SCCs, the Parties wish to supplement the SCCs with business-related clauses, which shall neither be interpreted nor applied in such a way as to contradict the SCCs (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of data subjects. The Parties therefore agree that the applicable terms of the Agreement and this Addendum shall apply if, and to the extent that, they are permitted under the SCCs, including without limitation the following: (a) the information required to be provided to Data Subjects under Clause 8.2(a) shall be provided by the relevant data exporter; (b) in the event of a data subject request for a copy of the clauses in accordance with Clause 8.2(c), each Party agrees to make all redactions reasonably necessary to protect business secrets or other confidential information of the other Party; (c) the terms of the Agreement governing indemnification and limitation of liability, including Section 7 of the Addendum, shall apply to each Party’s liability under Clauses 12(a), 12(c), and 12(d); (d) the termination provision(s) of the Agreement shall apply to a termination pursuant to Clause 14(f) or Clause 16; and (e) certification of deletion of Personal Data under Clause 16(d) shall be provided by the data importer upon written request of the data exporter.
- Transfers from the United Kingdom. If Data Provider transfers Personal Data to Data Recipient that is subject to UK Data Protection Laws, this Section shall apply to and modify the SCCs to the extent that UK Data Protection Laws apply to Data Provider’s processing when making that transfer. As used in this Section, “UK Addendum” means the template addendum issued by the Information Commissioner and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 thereof. The Parties acknowledge and agree that: (a) the information required to be set forth in “Part 1: Tables of the Approved Addendum” shall be completed in accordance with this Appendix 1; and (b) “Part 2: Mandatory Clauses” of the UK Addendum, as it is revised under Section 18 thereof, is hereby incorporated herein by reference. Either Party may end the UK Addendum in accordance with Section 19 thereof.
- Transfers from Switzerland. If Data Provider transfers Personal Data to Data Recipient that is subject to the Swiss FADP, the following modifications shall apply to the SCCs to the extent that the Swiss FADP applies to Data Provider’s processing when making that transfer: (a) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c); (b) the SCCs shall also protect the data of legal entities until the entry into force of the revised Swiss FADP; (c) references to the GDPR or other governing law contained in the SCCs shall also be interpreted to include the Swiss FADP; and (d) the Parties agree that the supervisory authority as indicated in Annex I.C shall be, insofar as the data transfer is governed by the Swiss FADP, the Swiss Federal Data Protection and Information Commissioner.